CVE-2026-11527
Status: Received - Intake
Command Injection in Config::IniFiles Perl Module

Publication date: 2026-06-14

Last updated on: 2026-06-14

Assigner: CPANSec

Description
Config::IniFiles versions before 3.001000 for Perl allow OS command injection and file overwrite via a 2-arg open() of the -file argument in _make_filehandle. Config::IniFiles::_make_filehandle opens a filename argument with Perl's 2-arg open(), so a filename that begins or ends with a pipe ("| cmd", "cmd |") or begins with a redirect ("> path", ">> path") is run as a command or redirect rather than opened as a file. The helper is the open path behind the documented -file argument: new(-file => $thing) reaches it through ReadConfig. An in-memory scalar reference (-file => \$text) does not open a path and is unaffected. Any caller that forwards untrusted input to the -file argument can run an arbitrary command or truncate a file under the process UID.
Affected Vendors & Products
One associated CPE:

Vendor: shlomif
Product: config_inifiles
Version / Range: up to 3.001000 (exclusive)
CWE ID and Description
CWE-73 The product allows user input to control or influence paths or file names that are used in filesystem operations.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Executive Summary

The vulnerability exists in Config::IniFiles versions before 3.001000 for Perl, specifically in the _make_filehandle subroutine. This subroutine opens the supplied filename with Perl's two-argument open() call, which parses the open mode out of the filename string itself. A name that begins or ends with a pipe ("| cmd", "cmd |") is therefore run as a command, and a name that begins with a redirect ("> path", ">> path") is opened for writing or appending instead of being treated as a literal path.

As a result, if an attacker controls the value passed to the -file argument, the affected process can execute arbitrary OS commands or truncate files under its own user ID. An in-memory scalar reference passed as -file does not go through a path open and is not affected.

Impact Analysis

This vulnerability can allow an attacker to execute arbitrary operating system commands or overwrite files on the affected system with the privileges of the process running the Perl module. This can lead to unauthorized command execution, data loss, or system compromise if untrusted input is passed to the vulnerable -file argument.

Detection Guidance

This vulnerability arises when untrusted input is passed to the -file argument in Config::IniFiles versions before 3.001000, allowing OS command injection or file overwrite via a 2-arg open() call.

To detect exploitation attempts or presence of this vulnerability, you can look for usage of Config::IniFiles with untrusted input to the -file argument, especially filenames containing shell metacharacters such as pipes (|) or redirects (> or >>).

Since successful exploitation results in an OS command being executed, or a file being truncated, by the Perl process itself, monitoring for unexpected child processes or file truncations attributable to processes that load Config::IniFiles may help.

Specific commands to detect this vulnerability are not provided in the resources, but you might consider:

  • Searching your codebase for usage of Config::IniFiles with the -file argument, especially with dynamic or untrusted input.
  • Using grep or similar tools to find filenames or parameters containing pipe (|) or redirect (>, >>) characters passed to Config::IniFiles.
  • Monitoring system logs or audit logs for unexpected command executions or file truncations related to the Perl process running Config::IniFiles.

Mitigation Strategies

The immediate mitigation is to update Config::IniFiles to version 3.001000 or later, where the vulnerability is fixed.

The fix involves changing the open() call in the _make_filehandle subroutine from a two-argument form to a three-argument form, which treats filenames as literal paths and prevents command injection or file truncation.

Until you can update, avoid passing untrusted input to the -file argument in Config::IniFiles, especially inputs that might contain shell metacharacters like pipes or redirects.

Review and sanitize any inputs that are forwarded to the -file argument to ensure they do not contain malicious characters.
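The following Perl script is an added example and is not code from Config::IniFiles or CPANSec. It shows the two points above in working code: the three-argument open() form the fix relies on, which treats a name such as "| id" as a literal path and simply fails instead of running a command, and a small review helper that flags the filename shapes (leading or trailing pipe, leading redirect) that a two-argument open() would misparse, which is the check suggested under Detection Guidance. The subroutine names, the temporary INI file and the sample filenames are constructed for the demonstration.

```perl
#!/usr/bin/env perl
# Added example, not Config::IniFiles' own code. Names below are assumptions.
use strict;
use warnings;
use File::Temp qw(tempfile);

# Hardened pattern (the form the advisory says 3.001000 switched to):
# an explicit '<' mode means $name is always a literal path. A name like
# "| id" is looked up as a file literally called "| id" and fails to open;
# no shell or command is ever involved.
sub open_ini_3arg {
    my ($name) = @_;
    open(my $fh, '<', $name) or return;
    return $fh;
}

# Review/scan helper: returns a reason if a 2-arg open() would NOT treat
# $name as a plain path, or undef if it is safe to hand to -file.
# Leading/trailing whitespace is stripped first, because 2-arg open()
# ignores it when parsing the mode out of the string.
sub two_arg_open_hazard {
    my ($name) = @_;
    (my $s = $name) =~ s/^\s+|\s+$//g;
    return 'starts with "|": would run a command'          if $s =~ /^\|/;
    return 'ends with "|": would run a command'            if $s =~ /\|$/;
    return 'starts with ">>": would open for append'       if $s =~ /^>>/;
    return 'starts with ">": would open for write/truncate' if $s =~ /^>/;
    return;
}

# Constructed sample input: a real INI file written to a temp path.
my ($tmp, $ini_path) = tempfile(UNLINK => 1);
print {$tmp} "[main]\nkey=value\n";
close $tmp;

# Candidate values as a caller might receive them for -file; the last three
# are shaped like the dangerous cases from the advisory.
my @candidates = ($ini_path, '| id', 'id |', '> /tmp/example-target');

for my $name (@candidates) {
    if (my $why = two_arg_open_hazard($name)) {
        print "REJECT  '$name'  ($why)\n";
        next;
    }
    my $fh = open_ini_3arg($name) or do {
        print "FAILED  '$name': $!\n";
        next;
    };
    my @lines = <$fh>;
    close $fh;
    print "OK      '$name': ", scalar(@lines), " line(s) read\n";
}

# Even without the pre-check, the 3-arg form never executes anything: it
# attempts to open a file literally named "| id" and reports the OS error.
if (my $fh = open_ini_3arg('| id')) {
    close $fh;
    print "unexpected: a file literally named '| id' exists here\n";
} else {
    print "3-arg open('| id') treated it as a plain path and failed: $!\n";
}
```

The helper is intended for code review or log scanning, not as a substitute for the upgrade: the reliable fix is the three-argument open() in 3.001000, and the check only narrows what a still-vulnerable version is allowed to receive until that upgrade is in place.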
